From b0ec7edf1dd69eaf5ec30a1a5f6e8db7ecfa3024 Mon Sep 17 00:00:00 2001
From: liushuobj
Date: Mon, 18 May 2020 10:58:17 +0800
Subject: [PATCH] Fix admin can not delete other user's secrets

Change-Id: I1f996cc50c2b4667c18d495b4ca422a40e594cff
---
 barbican/api/controllers/secrets.py | 6 ++++++
 releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml | 6 ++++++
 2 files changed, 12 insertions(+)
 create mode 100644 releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml

diff --git a/barbican/api/controllers/secrets.py b/barbican/api/controllers/secrets.py
index 27b5a814b..a74ff40c7 100644
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@@ -260,6 +260,12 @@ class SecretController(controllers.ACLMixin):
 self.secret.id,
 suppress_exception=True
 )
+
+ # With ACL support, the user token project does not have to be same as
+ # project associated with secret. The lookup project_id needs to be
+ # derived from the secret's data considering authorization is already
+ # done.
+ external_project_id = self.secret.project.external_id
 plugin.delete_secret(self.secret, external_project_id)
 
 LOG.info('Deleted secret for project: %s', external_project_id)
diff --git a/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml b/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml
new file mode 100644
index 000000000..725925812
--- /dev/null
+++ b/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixed Story #2006978: An admin user now can delete other users secrets
+ by adjust the policy file.
+
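Review bot: The added assignment rebinds `external_project_id`, which the context line `plugin.delete_secret(self.secret, external_project_id)` already used before this change, so the value the method received (presumably the token's project, from the signature outside this hunk) is lost for the rest of the method and the `LOG.info` line now records the secret owner's project instead of the project that requested the cross-project delete. Binding a new name keeps both available for the audit trail: `owner_project_id = self.secret.project.external_id`, `plugin.delete_secret(self.secret, owner_project_id)`, `LOG.info('Deleted secret %s of project %s (requested by project %s)', self.secret.id, owner_project_id, external_project_id)`. Because the delete is now performed against the owning project regardless of the caller's project, the policy enforcement that precedes this code (outside the hunk) is the only control preventing cross-tenant deletion, so a test asserting that a non-admin user from another project still receives 403 on this path would guard the change. The enclosing method starts outside the hunk.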